Method and system for determining whether domain names are legitimate or malicious

US 9,516,058 B2
Filed: 08/09/2011
Issued: 12/06/2016
Est. Priority Date: 08/10/2010
Status: Active Grant

First Claim

Patent Images

1. A method of detecting malicious network behavior by teaching at least one reputation engine to determine whether at least one new domain name is likely to be used for malicious or legitimate uses, the method comprising:

obtaining passive domain name system (DNS) query information, utilizing the at least one reputation engine in communication with at least one database, wherein the passive DNS query information is obtained using passive DNS collectors from DNS information;

utilizing, using the at least one reputation engine, the passive DNS query information to measure statistical features of known malicious domain names and known legitimate domain names, wherein the statistical features comprise network-based features and/or zone-based features, the network-based features describing how operators who own the at least one domain name and IP addresses the at least one domain name points to are able to allocate their network resources, and the zone-based features measuring a set of related historic domain names (RHDNs) of domain names historically associated with the at least one new domain name; and

utilizing the statistical features to determine at least one reputation for the at least one new domain name, by teaching the at least one reputation engine to determine whether the at least one new domain name is likely to be used for malicious or legitimate uses, and thus determine if the network communication is malicious or benign.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for determining whether at least one domain is legitimate or malicious by obtaining passive DNS query information, using the passive DNS query information to measure statistical features of known malicious domain names and known legitimate domain names, and using the statistical features to determine at least one reputation for at least one new domain, where the reputation indicates whether the at least one new domain is likely to be for malicious or legitimate uses.

Citations

18 Claims

1. A method of detecting malicious network behavior by teaching at least one reputation engine to determine whether at least one new domain name is likely to be used for malicious or legitimate uses, the method comprising:
- obtaining passive domain name system (DNS) query information, utilizing the at least one reputation engine in communication with at least one database, wherein the passive DNS query information is obtained using passive DNS collectors from DNS information;
  
  utilizing, using the at least one reputation engine, the passive DNS query information to measure statistical features of known malicious domain names and known legitimate domain names, wherein the statistical features comprise network-based features and/or zone-based features, the network-based features describing how operators who own the at least one domain name and IP addresses the at least one domain name points to are able to allocate their network resources, and the zone-based features measuring a set of related historic domain names (RHDNs) of domain names historically associated with the at least one new domain name; and
  
  utilizing the statistical features to determine at least one reputation for the at least one new domain name, by teaching the at least one reputation engine to determine whether the at least one new domain name is likely to be used for malicious or legitimate uses, and thus determine if the network communication is malicious or benign.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the statistical features also comprise:
    - evidence-based features.
  - 3. The method of claim 1, wherein the network-based features comprise:
    - border gateway protocol (BGP) features, autonomous system (AS) features, or registration features, or any combination thereof.
  - 4. The method of claim 1, wherein the zone-based features comprise:
    - string features and/or top level domain (TLD) features.
  - 5. The method of claim 4, wherein the evidence-based features comprise:
    - honeypot features and/or blacklist features.
  - 6. The method of claim 1, wherein at least one reputation engine is utilized to determine the at least one reputation for the at least one new domain.
  - 7. The method of claim 6, wherein the at least one reputation engine comprises:
    - at least one network profile modeling module;
      
      at least one network and zone domain name clustering module;
      
      or at least one reputation function module;
      
      or any combination thereof.
  - 8. The method of claim 7, wherein the at least one network profile modeling module utilizes multiple classes of domain names.
  - 9. The method of claim 8, wherein the multiple classes of domain names comprise:
    - popular domain names;
      
      common domain names, Akamai domain names, content delivery network (CDN) domain names, or dynamic DNS domain names, or any combination thereof.

10. A system of detecting malicious network behavior by teaching at least one reputation engine to determine whether at least one new domain name is likely to be used for malicious or legitimate uses, the system comprising:
- at least one reputation engine in communication with at least one hardware processor and at least one database, the at least one reputation engine configured for;
  
  obtaining passive domain name system (DNS) query information, wherein the passive DNS query information is obtained using passive DNS collectors;
  
  utilizing the passive DNS query information to measure statistical features of known malicious domain names and known legitimate domain names, wherein the statistical features comprise network-based features and/or zone-based features, the network-based features describing how operators who own the at least one domain name and IP addresses the at least one domain name points to are able to allocate their network resources, and the zone-based features measuring a set of related historic domain names (RHDNs) of domain names historically associated with the at least one new domain name; and
  
  utilizing the statistical features to determine at least one reputation for the at least one new domain name, by teaching the at least one reputation engine to determine whether the at least one new domain name is likely to be used for malicious or legitimate uses, and thus determine if the network communication is malicious or benign.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the statistical features also comprise:
    - evidence-based features.
  - 12. The system of claim 10, wherein the network-based features comprise:
    - border gateway protocol (BGP) features, autonomous system (AS) features, or registration features, or any combination thereof.
  - 13. The system of claim 10, wherein the zone-based features comprise:
    - string features and/or top level domain (TLD) features.
  - 14. The system of claim 13, wherein the evidence-based features comprise:
    - honeypot features and/or blacklist features.
  - 15. The system of claim 10, wherein the at least one reputation engine is utilized to determine the at least one reputation for the at least one new domain.
  - 16. The system of claim 15, wherein the at least one reputation engine comprises:
    - at least one network profile modeling module;
      
      at least one network and zone domain name clustering module;
      
      or at least one reputation function module;
      
      or any combination thereof.
  - 17. The system of claim 16, wherein the at least one network profile modeling module utilizes multiple classes of domain names.
  - 18. The system of claim 17, wherein the multiple classes of domain names comprise:
    - popular domain names;
      
      common domain names, Akamai domain names, content delivery network (CDN) domain names, or dynamic DNS domain names, or any combination thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecrime Management Strategies, Inc.
Original Assignee
Damballa Incorporated
Inventors
Antonakakis, Manos, Perdisci, Roberto, Dagon, David, Lee, Wenke
Primary Examiner(s)
Jeudy, Josnel

Application Number

US13/205,928
Publication Number

US 20120042381A1
Time in Patent Office

1,946 Days
Field of Search

726 22- 25, 713187-188
US Class Current

1/1
CPC Class Codes

H04L 61/4511 using domain name system [DNS]

H04L 63/1483 service impersonation, e.g....

Method and system for determining whether domain names are legitimate or malicious

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for determining whether domain names are legitimate or malicious

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links